Author: W B Hacker
Date:
To: exim users
Subject: Re: [exim] What's the best way to secure both SMTP and POP authentication?
jtelep@??? wrote:
*snip* >
> Great, this helps so much. Thanks for your help Bill. So just for a
> quick recap to be sure that I understand this correctly, once TLS is
> enabled it handles all of encryption regarding SMTP traffic including the
> authentication.
You can get the gory details on TLS with a brief Google.
Basically, it is the latest incarnation of SSL, with a new fillip - the ability
to 'negotiate' not only which keys and encryption standards are to be used, but
also whether encryption is offered/accepted *at all*. That allows more flexible
use of ports.
> So I can use sasl-plain auth without being concerned that
> someone can "sniff" the user_id and password because the connection has
> already been encrypted. Let me know if I am off base here at all.
>
> Thanks again!
>
So long as you have set Exim to *only* accept authentication under TLS, *AND*
set the MUA to *always* use TLS, the only thing a 'snooper' should be able to
see 'en clair' is the negotiation handshake. The uid:pwd exchange should take
place *after* the encrypted 'tunnel' has been agreed and established, so even
'plain' is protected and SASL is optional.
You will want to be sure that your smtp MUA-to-Exim-as-MSA is done on the
'submission' port, 587, and not on port 25, which may be blocked/diverted by an
end-user's connectivity ISP. Not all of the relevant settings are in the same
place in ~/configure, but all must be in agreement.
A caveat: Some MUAs, if/as/when unable to negotiate a TLS session on the
submission port *at all*, can fall back to attempting a connection via port 25,
and not necessarily attempt authentication, as port 25 will normally accept at
least locally-deliverable mail without requiring auth or encryption.
This can be a 'surprise' vulnerability. Watch for symptoms of longer than
'normal' sending time and Exim rejection of mail for remote destinations with a
'relaying not permitted' message.
Some of the code you may need in addition to a functioning AUTH paragraph:
local_interfaces = <one or more IP on your box>
daemon_smtp_ports = 25 : 587
tls_certificate = /usr/local/etc/exim/certs/<cert name or number>
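The check a practitioner would want after making these changes is to confirm, from the client side, that the MSA on port 587 really does refuse to advertise AUTH until STARTTLS has completed, and that it does offer AUTH once the tunnel is up (otherwise an MUA may hit exactly the port-25 fallback described above). The script below is an added example written for this page; it is not code from W B Hacker's message or from the Exim project. The EHLO replies it parses are constructed samples (hostnames under example.invalid, addresses from 192.0.2.0/24 are invented), and live_audit() is the same logic run over a real connection with Python's standard smtplib.

```python
"""Audit an SMTP submission (MSA) port: AUTH must appear only after STARTTLS.

Added example for this thread, not part of the original post or of Exim.
"""
import smtplib
import ssl
from typing import Dict, List, Optional

# Constructed EHLO replies (not captured from any real server).
# A mis-configured MSA that advertises AUTH in the clear on port 587:
EHLO_CLEAR_WITH_AUTH = (
    "250-mail.example.invalid Hello client.example.invalid [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-STARTTLS\r\n"
    "250 HELP"
)
# The same server configured as the post recommends, before STARTTLS:
EHLO_CLEAR_NO_AUTH = (
    "250-mail.example.invalid Hello client.example.invalid [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 HELP"
)
# ... and its second EHLO, issued inside the TLS tunnel:
EHLO_AFTER_TLS = (
    "250-mail.example.invalid Hello client.example.invalid [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP"
)


def parse_ehlo(response: str) -> Dict[str, str]:
    """Turn a raw multi-line 250 EHLO reply into {KEYWORD: "parameters"}.

    The first line is the server greeting and carries no extension, so it
    is skipped; every later "250-XXX ..." / "250 XXX ..." line is one
    advertised capability.
    """
    caps: Dict[str, str] = {}
    for line in response.replace("\r\n", "\n").split("\n")[1:]:
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the "250-" or "250 " prefix
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.strip()
    return caps


def audit_msa(pre_tls: Dict[str, str],
              post_tls: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings; an empty list means AUTH is offered only inside TLS."""
    findings: List[str] = []
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not offered on the submission port; "
                        "clients cannot protect AUTH at all")
    if "AUTH" in pre_tls:
        mechs = pre_tls["AUTH"].split() or ["(unspecified)"]
        findings.append("AUTH advertised before STARTTLS: "
                        + " ".join(mechs) + " would be sent in the clear")
    if post_tls is not None:
        if "AUTH" not in post_tls:
            findings.append("no AUTH advertised after STARTTLS; MUAs will "
                            "fail, or fall back to port 25 unauthenticated")
        if "STARTTLS" in post_tls:
            findings.append("STARTTLS still advertised inside TLS "
                            "(RFC 3207 forbids this)")
    return findings


def live_audit(host: str, port: int = 587, timeout: float = 10.0) -> List[str]:
    """Run the same audit against a real MSA (needs network; not used by the
    offline samples). smtplib lower-cases extension names, so normalise."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre = {k.upper(): v.strip() for k, v in smtp.esmtp_features.items()}
        if "STARTTLS" not in pre:
            return audit_msa(pre, None)
        smtp.starttls(context=ctx)     # clears esmtp_features; re-EHLO below
        smtp.ehlo()
        post = {k.upper(): v.strip() for k, v in smtp.esmtp_features.items()}
    return audit_msa(pre, post)


if __name__ == "__main__":
    print("bad server :", audit_msa(parse_ehlo(EHLO_CLEAR_WITH_AUTH),
                                    parse_ehlo(EHLO_AFTER_TLS)))
    print("good server:", audit_msa(parse_ehlo(EHLO_CLEAR_NO_AUTH),
                                    parse_ehlo(EHLO_AFTER_TLS)))
```

On the Exim side, the setting that produces the "good server" behaviour is the main-section option `auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}}` (`$tls_cipher` on Exim releases before 4.80), alongside `tls_advertise_hosts = *` and the `tls_certificate` line above; with that in place Exim does not advertise AUTH until a cipher has been negotiated, and an MUA that has not done STARTTLS cannot even attempt to send credentials.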